- name: kubernetes.certmanager.certificate
  rules:
  - alert: CertificateSecretExpiredSoon
    expr: |
      max by (name, namespace) (
        cert_exporter_secret_not_after{job="cert-exporter", secretkey!="ca.crt"} - time() < 1209600
      ) * on (namespace) group_left() max by (namespace) (extended_monitoring_enabled)
    for: 1h
    labels:
      severity_level: "8"
    annotations:
      plk_protocol_version: "1"
      plk_markup_format: "markdown"
      plk_create_group_if_not_exists__certificate_secret_expiration: "CertificateSecretExpiration,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes"
      plk_grouped_by__certificate_secret_expiration: "CertificateSecretExpiration,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes"
      summary: Certificate will expire soon.
      description: |
        Certificate in secret {{$labels.namespace}}/{{$labels.name}} will expire in less than 2 weeks

        - If the certificate is manually managed, upload a newer one.
        - If certificate is managed by cert-manager, try inspecting certificate resource, the recommended course of action:
          1. Retrieve certificate name from the secret: `cert=$(kubectl get secret -n {{$labels.namespace}} {{$labels.name}} -o 'jsonpath={.metadata.annotations.cert-manager\.io/certificate-name}')`
          2. View the status of the Certificate and try to figure out why it is not updated: `kubectl describe cert -n {{$labels.namespace}} "$cert"`

  - alert: CertificateSecretExpired
    expr: |
      max by (name, namespace) (
        cert_exporter_secret_not_after{job="cert-exporter", secretkey!="ca.crt"} - time() < 0
      ) * on (namespace) group_left() max by (namespace) (extended_monitoring_enabled)
    for: 1h
    labels:
      severity_level: "8"
    annotations:
      plk_protocol_version: "1"
      plk_markup_format: "markdown"
      plk_create_group_if_not_exists__certificate_secret_expiration: "CertificateSecretExpiration,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes"
      plk_grouped_by__certificate_secret_expiration: "CertificateSecretExpiration,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes"
      summary: Certificate expired
      description: |
        Certificate in secret {{$labels.namespace}}/{{$labels.name}} expired.

        - If the certificate is manually managed, upload a newer one.
        - If the certificate is managed by cert-manager, try inspecting certificate resource, the recommended course of action:
          1. Retrieve certificate name from the secret: `cert=$(kubectl get secret -n {{$labels.namespace}} {{$labels.name}} -o 'jsonpath={.metadata.annotations.cert-manager\.io/certificate-name}')`
          2. View the status of the Certificate and try to figure out why it is not updated: `kubectl describe cert -m {{$labels.namespace}} "$cert"`
